Iran is using malware variants in two separate state-sponsored cyber espionage operations around the globe, the XDR (extended detection and response) cybersecurity research company Cybereason announced Tuesday.
According to Cybereason, the Iranian cyber espionage operations are targeting a wide range of organizations in different parts of the world. Researchers identified a previously undocumented remote access trojan (RAT) named "StrifeWater," which the company attributes to the Iranian threat actor Moses Staff. This APT (advanced persistent threat) group has been observed targeting organizations in the US, Israel, India, Germany, Italy, the United Arab Emirates, Chile and Turkey.
After infiltrating an organization and exfiltrating sensitive data, the attackers deploy destructive ransomware to cause operational disruptions and make forensic investigation more difficult.
Cybereason also discovered a new set of tools developed by the Phosphorus group (also known as Charming Kitten or APT35), including a novel PowerShell-based backdoor dubbed "PowerLess." The researchers also found an IP address used in the attacks that had previously been identified as part of the command-and-control (C2) infrastructure for the recently documented Memento ransomware.

Phosphorus is known for attacking medical and academic research organizations, human rights activists and the media, for exploiting known Microsoft Exchange Server vulnerabilities, and for attempting to interfere with US elections.
The company observed similar abuse of open-source tools in both Iranian cyberattack operations.
Cybereason co-founder and CEO Lior Div explained that the recently discovered Iranian cyber espionage campaigns "highlight the blurred line between nation-state and cybercrime threat actors, where ransomware gangs are more often employing APT-like tactics to infiltrate as much of a targeted network as possible without being detected, and APTs leveraging cybercrime tools like ransomware to distract, destroy and ultimately cover their tracks."
According to Div, "there is no longer a significant distinction between nation-state adversaries and sophisticated cybercriminal operations. That's why it is crucial for us as [cyber] defenders to collectively improve our detection and prevention capabilities if we are going to keep pace with these evolving threats."